Analysis
max time kernel: 130s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/03/2023, 21:08
Static task: static1
Behavioral task: behavioral1
Sample: 0bd2d2249f2eb09386e1027bef7431421ddb934146c82a275572bf83a74edd97.exe
Resource: win10v2004-20230220-en
General
Target: 0bd2d2249f2eb09386e1027bef7431421ddb934146c82a275572bf83a74edd97.exe
Size: 791KB
MD5: 80b56b758c631c6e138eb8cac4514370
SHA1: 30244ab823eb3ed089342c936065008f0e15b77a
SHA256: 0bd2d2249f2eb09386e1027bef7431421ddb934146c82a275572bf83a74edd97
SHA512: 8614d4b0897358311d85c87e92bde5e497ce732e5d02bafdacb155fdf0675a174d4b7262fdfbe7c7ec03518430b5cedc5d0ac4446947a315c912f41193d632b1
SSDEEP: 24576:NyjmbfcnglYqdz6qWrqirvXkV3v0ph+EB:ojmDcnglYkz6/qiTXcKh+
Malware Config
Extracted
Family: redline
Botnet: mango
C2: 193.233.20.28:4125
auth_value: ecf79d7f5227d998a3501c972d915d23
Extracted
Family: redline
Botnet: laba
C2: 193.233.20.28:4125
auth_value: 2cf01cffff9092a85ca7e106c547190b
Signatures
Modifies Windows Defender Real-time Protection settings 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | c12YJ78.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | b1684Ef.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | b1684Ef.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | b1684Ef.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | b1684Ef.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | b1684Ef.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | c12YJ78.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | c12YJ78.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | b1684Ef.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | c12YJ78.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | c12YJ78.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | c12YJ78.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
Executes dropped EXE 6 IoCs
pid | Process
3732 | tice3846.exe
2432 | tice2077.exe
1096 | b1684Ef.exe
4940 | c12YJ78.exe
2736 | dWwVL43.exe
972 | e07jw50.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | b1684Ef.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | c12YJ78.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | c12YJ78.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 0bd2d2249f2eb09386e1027bef7431421ddb934146c82a275572bf83a74edd97.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0bd2d2249f2eb09386e1027bef7431421ddb934146c82a275572bf83a74edd97.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | tice3846.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | tice3846.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | tice2077.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | tice2077.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
4080 | sc.exe
Program crash 2 IoCs
pid | pid_target | Process | procid_target
4172 | 4940 | WerFault.exe | 95
520 | 2736 | WerFault.exe | 99
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
1096 | b1684Ef.exe
1096 | b1684Ef.exe
4940 | c12YJ78.exe
4940 | c12YJ78.exe
2736 | dWwVL43.exe
2736 | dWwVL43.exe
972 | e07jw50.exe
972 | e07jw50.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1096 | b1684Ef.exe
Token: SeDebugPrivilege | 4940 | c12YJ78.exe
Token: SeDebugPrivilege | 2736 | dWwVL43.exe
Token: SeDebugPrivilege | 972 | e07jw50.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1176 wrote to memory of 3732 | 1176 | 0bd2d2249f2eb09386e1027bef7431421ddb934146c82a275572bf83a74edd97.exe | 84
PID 1176 wrote to memory of 3732 | 1176 | 0bd2d2249f2eb09386e1027bef7431421ddb934146c82a275572bf83a74edd97.exe | 84
PID 1176 wrote to memory of 3732 | 1176 | 0bd2d2249f2eb09386e1027bef7431421ddb934146c82a275572bf83a74edd97.exe | 84
PID 3732 wrote to memory of 2432 | 3732 | tice3846.exe | 85
PID 3732 wrote to memory of 2432 | 3732 | tice3846.exe | 85
PID 3732 wrote to memory of 2432 | 3732 | tice3846.exe | 85
PID 2432 wrote to memory of 1096 | 2432 | tice2077.exe | 86
PID 2432 wrote to memory of 1096 | 2432 | tice2077.exe | 86
PID 2432 wrote to memory of 4940 | 2432 | tice2077.exe | 95
PID 2432 wrote to memory of 4940 | 2432 | tice2077.exe | 95
PID 2432 wrote to memory of 4940 | 2432 | tice2077.exe | 95
PID 3732 wrote to memory of 2736 | 3732 | tice3846.exe | 99
PID 3732 wrote to memory of 2736 | 3732 | tice3846.exe | 99
PID 3732 wrote to memory of 2736 | 3732 | tice3846.exe | 99
PID 1176 wrote to memory of 972 | 1176 | 0bd2d2249f2eb09386e1027bef7431421ddb934146c82a275572bf83a74edd97.exe | 107
PID 1176 wrote to memory of 972 | 1176 | 0bd2d2249f2eb09386e1027bef7431421ddb934146c82a275572bf83a74edd97.exe | 107
PID 1176 wrote to memory of 972 | 1176 | 0bd2d2249f2eb09386e1027bef7431421ddb934146c82a275572bf83a74edd97.exe | 107
Processes
"C:\Users\Admin\AppData\Local\Temp\0bd2d2249f2eb09386e1027bef7431421ddb934146c82a275572bf83a74edd97.exe" (PID 1176)
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice3846.exe (PID 3732)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice2077.exe (PID 2432)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1684Ef.exe (PID 1096)
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c12YJ78.exe (PID 4940)
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 1080 (PID 4172)
          - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dWwVL43.exe (PID 2736)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 1696 (PID 520)
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e07jw50.exe (PID 972)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4940 -ip 4940 (PID 408)
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2736 -ip 2736 (PID 1144)
C:\Windows\system32\sc.exe start wuauserv (PID 4080)
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v6
Downloads